Merge pull request smallstep#788 from smallstep/herman/allow-deny

Add allow/deny policy for x509 SANs and SSH Principals

Author: hslatman

acme/account.go

@@ -7,6 +7,8 @@ import (
 	"time"
 
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/certificates/authority/policy"
 )
 
 // Account is a subset of the internal account type containing only those
@@ -43,15 +45,63 @@ func KeyToID(jwk *jose.JSONWebKey) (string, error) {
 	return base64.RawURLEncoding.EncodeToString(kid), nil
 }
 
+// PolicyNames contains ACME account level policy names
+type PolicyNames struct {
+	DNSNames []string `json:"dns"`
+	IPRanges []string `json:"ips"`
+}
+
+// X509Policy contains ACME account level X.509 policy
+type X509Policy struct {
+	Allowed            PolicyNames `json:"allow"`
+	Denied             PolicyNames `json:"deny"`
+	AllowWildcardNames bool        `json:"allowWildcardNames"`
+}
+
+// Policy is an ACME Account level policy
+type Policy struct {
+	X509 X509Policy `json:"x509"`
+}
+
+func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions {
+	if p == nil {
+		return nil
+	}
+	return &policy.X509NameOptions{
+		DNSDomains: p.X509.Allowed.DNSNames,
+		IPRanges:   p.X509.Allowed.IPRanges,
+	}
+}
+func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions {
+	if p == nil {
+		return nil
+	}
+	return &policy.X509NameOptions{
+		DNSDomains: p.X509.Denied.DNSNames,
+		IPRanges:   p.X509.Denied.IPRanges,
+	}
+}
+
+// AreWildcardNamesAllowed returns if wildcard names
+// like *.example.com are allowed to be signed.
+// Defaults to false.
+func (p *Policy) AreWildcardNamesAllowed() bool {
+	if p == nil {
+		return false
+	}
+	return p.X509.AllowWildcardNames
+}
+
 // ExternalAccountKey is an ACME External Account Binding key.
 type ExternalAccountKey struct {
 	ID            string    `json:"id"`
 	ProvisionerID string    `json:"provisionerID"`
 	Reference     string    `json:"reference"`
 	AccountID     string    `json:"-"`
-	KeyBytes      []byte    `json:"-"`
+	HmacKey       []byte    `json:"-"`
 	CreatedAt     time.Time `json:"createdAt"`
 	BoundAt       time.Time `json:"boundAt,omitempty"`
+	Policy        *Policy   `json:"policy,omitempty"`
 }
 
 // AlreadyBound returns whether this EAK is already bound to
@@ -68,6 +118,6 @@ func (eak *ExternalAccountKey) BindTo(account *Account) error {
 	}
 	eak.AccountID = account.ID
 	eak.BoundAt = time.Now()
-	eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once
+	eak.HmacKey = []byte{} // clearing the key bytes; can only be used once
 	return nil
 }

acme/account_test.go

@@ -7,8 +7,9 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/assert"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/assert"
 )
 
 func TestKeyToID(t *testing.T) {
@@ -95,7 +96,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: "provID",
 				Reference:     "ref",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 			},
 			acct: &Account{
 				ID: "accountID",
@@ -108,7 +109,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: "provID",
 				Reference:     "ref",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 				AccountID:     "someAccountID",
 				BoundAt:       boundAt,
 			},
@@ -138,7 +139,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
 			} else {
 				assert.Equals(t, eak.AccountID, acct.ID)
-				assert.Equals(t, eak.KeyBytes, []byte{})
+				assert.Equals(t, eak.HmacKey, []byte{})
 				assert.NotNil(t, eak.BoundAt)
 			}
 		})

acme/api/account.go

@@ -131,8 +131,7 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 		}
 
 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
-			err := eak.BindTo(acc)
-			if err != nil {
+			if err := eak.BindTo(acc); err != nil {
 				render.Error(w, err)
 				return
 			}

acme/api/account_test.go

@@ -13,10 +13,12 @@ import (
 
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
+
+	"go.step.sm/crypto/jose"
+
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/crypto/jose"
 )
 
 var (
@@ -41,6 +43,19 @@ func newProv() acme.Provisioner {
 	return p
 }
 
+func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
+	// Initialize provisioners
+	p := &provisioner.ACME{
+		Type:    "ACME",
+		Name:    "test@acme-<test>provisioner.com",
+		Options: options,
+	}
+	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
+		fmt.Printf("%v", err)
+	}
+	return p
+}
+
 func newACMEProv(t *testing.T) *provisioner.ACME {
 	p := newProv()
 	a, ok := p.(*provisioner.ACME)
@@ -50,6 +65,15 @@ func newACMEProv(t *testing.T) *provisioner.ACME {
 	return a
 }
 
+func newACMEProvWithOptions(t *testing.T, options *provisioner.Options) *provisioner.ACME {
+	p := newProvWithOptions(options)
+	a, ok := p.(*provisioner.ACME)
+	if !ok {
+		t.Fatal("not a valid ACME provisioner")
+	}
+	return a
+}
+
 func createEABJWS(jwk *jose.JSONWebKey, hmacKey []byte, keyID, u string) (*jose.JSONWebSignature, error) {
 	signer, err := jose.NewSigner(
 		jose.SigningKey{
@@ -558,7 +582,7 @@ func TestHandler_NewAccount(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: provID,
 				Reference:     "testeak",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 				CreatedAt:     time.Now(),
 			}
 			return test{
@@ -735,7 +759,7 @@ func TestHandler_NewAccount(t *testing.T) {
 							ID:            "eakID",
 							ProvisionerID: provID,
 							Reference:     "testeak",
-							KeyBytes:      []byte{1, 3, 3, 7},
+							HmacKey:       []byte{1, 3, 3, 7},
 							CreatedAt:     time.Now(),
 						}, nil
 					},

acme/api/eab.go

@@ -4,8 +4,9 @@ import (
 	"context"
 	"encoding/json"
 
-	"github.com/smallstep/certificates/acme"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/certificates/acme"
 )
 
 // ExternalAccountBinding represents the ACME externalAccountBinding JWS
@@ -55,11 +56,19 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
 		return nil, acme.WrapErrorISE(err, "error retrieving external account key")
 	}
 
+	if externalAccountKey == nil {
+		return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
+	}
+
+	if len(externalAccountKey.HmacKey) == 0 {
+		return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
+	}
+
 	if externalAccountKey.AlreadyBound() {
 		return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
 	}
 
-	payload, err := eabJWS.Verify(externalAccountKey.KeyBytes)
+	payload, err := eabJWS.Verify(externalAccountKey.HmacKey)
 	if err != nil {
 		return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
 	}